Add TCM access control page #3866
Conversation
p7nov
force-pushed
the
gh-3634-tcm-rbac
branch
from
b241d6a to
5a904ed
Compare
| * - ``cluster.lowlevel.state.read`` | ||
| - Read low-level information about cluster configuration (for debug purposes) | ||
|
|
||
| * - ``cluster.lowlevel.state.write`` | ||
| - Write low-level information about cluster configuration (for debug purposes) |
There was a problem hiding this comment.
move it the bottom please to make it
| * - ``admin.lowlevel.state.read`` | ||
| - Read low-level information from |tcm| storage (for debug purposes) | ||
|
|
||
| * - ``admin.lowlevel.state.write`` | ||
| - Write low-level information to |tcm| storage (for debug purposes) |
| - Toggle development mode | ||
|
|
||
| * - ``user.password.change`` | ||
| - Change own password |
There was a problem hiding this comment.
let's remove. seems that we dont use it in tcm, sorry
| set of permissions for each cluster. | ||
|
|
||
| Technically, cluster permissions define pages shown in the **Cluster** section | ||
| of the left menu and controls available on these pages. For example, users |
There was a problem hiding this comment.
Don't quite understand to which word controls refers: permissions, section, menu?
|
|
||
| 1. Click **Add**. | ||
| 2. Fill in the user information: username, full name, and description. | ||
| 3. Generate or enter a password. |
There was a problem hiding this comment.
Not sure but to me enter a password sounds like it should be entered when logging in. I'd think about replacing it with specify.
| and the private key is a password. | ||
|
|
||
| Users receive their first passwords during the account creation. It can be entered | ||
| manually or generated automatically. |
There was a problem hiding this comment.
I'd remove the second sentence here as it duplicates the info from Managing users (and added the link for account creation to Managing users).
| Changing users' passwords | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Administrators can manage a user's passwords on this user's **Secrets** page. |
There was a problem hiding this comment.
a user's passwords
sounds like a user can have multiple passwords
There was a problem hiding this comment.
This subject is confusing me a bit. The case of one TCM user having multiple secrets (username/password pairs) is technically possible. I didn't describe it on purpose: I don't see a valid real-life usage scenario for this.
AFAIU, this functionality is intended for use when TCM receives more than one way to authenticate users. For example, one user will have three secrets: a password, a certificate, and a fingerprint (whatever, just imagining :)). But right now it doesn't look useful on practice.
@filonenko-mikhail, what do you think? should we describe the case of multiple passwords explicitly (therefore encouraging readers to do this)?
| - **Block after N login attempts**. | ||
| - **User lockout time in seconds**. |
There was a problem hiding this comment.
Are these settings related? Don't quite understand the second one
There was a problem hiding this comment.
Added the descriptions
| - Manage LDAP configurations | ||
|
|
||
| * - ``admin.passwordpolicy.read`` | ||
| - View password policy |
There was a problem hiding this comment.
Looks like the first column should be a bit wider:
| :widths: 30 70 | ||
| :header-rows: 1 | ||
|
|
||
| * - Permission |
There was a problem hiding this comment.
my bad,
user.password.change is actual for access to change own password, please restore it
Co-authored-by: Andrey Aksenov <[email protected]>
|
No we should not
Lets describe that password is one
Ср, 22 нояб. 2023 г. в 06:41, Pavel Semyonov ***@***.***>:
… ***@***.**** commented on this pull request.
------------------------------
In doc/reference/tooling/tcm/tcm_access_control.rst
<#3866 (comment)>:
> +Users receive their first passwords during the account creation. It can be entered
+manually or generated automatically.
+
+All passwords are governed by the :ref:`password policy <tcm_access_control_password_policy>`.
+It can be flexibly configured to follow security requirements of your organization.
+
+Changing your password
+~~~~~~~~~~~~~~~~~~~~~~
+
+To change your own password, click your name in the top-right corner and go to
+**Settings** > **Change password**.
+
+Changing users' passwords
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Administrators can manage a user's passwords on this user's **Secrets** page.
This subject is confusing me a bit. The case of one TCM user having
multiple username/password pairs is technically possible. I didn't describe
it on purpose: I don't see a valid real-life usage scenario for this.
AFAIU, this functionality is intended for use when TCM receives more than
one way to authenticate users. For example, one user will have three
secrets: a password, a certificate, and a fingerprint (whatever, just
imagining :)). But right now it doesn't look useful on practice.
@filonenko-mikhail <https://github.com/filonenko-mikhail>, what do you
think? should we describe the case of multiple passwords explicitly
(therefore encouraging readers to do this)?
—
Reply to this email directly, view it on GitHub
<#3866 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAC2O53SJPLNM4XNQ7XXL4DYFVX6BAVCNFSM6AAAAAA7UKYXAGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTONBTGQ4TQMZYHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Co-authored-by: Andrey Aksenov <[email protected]>
Resolves #3634 Co-authored-by: Andrey Aksenov <[email protected]>
Resolves #3634
Deployment: https://docs.d.tarantool.io/en/doc/gh-3634-tcm-rbac/reference/tooling/tcm/tcm_access_control/
Add new section TCM > Access Control:
TODO (in scope of #3637 ):